Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bbdeb1a60bac1ec…

Verdict: MALICIOUS
File type: PDF
Size: 9.3 KB
MD5: b02dc965d7ba1b8d22c6a1aa58717498
SHA-1: fd34dec02d72e527c867ccc8226a07a1e8c99106
SHA-256: 2bbdeb1a60bac1ec85a53ef39c09106ed5cb0a0154f2e1754b3430afab32b3c5
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1204 User Execution; T1204.002 User Execution: Malicious File

The PDF contains an embedded script payload, as indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic firing. The ML classifier also strongly flagged this PDF as malicious. While the specific exploit is not detailed, the presence of an embedded script suggests an attempt to execute malicious code when the document is opened or interacted with.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9977

Heuristics (3)

  • Embedded script payload in PDF stream (medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file (low) PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_0000025b.bin
SHA-256: ae78f0d0db18125e95adb75087c035cf5b0fcaf226d95ab991468a79c970f77d
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0x25B
Size: 9537 bytes